Reply to "Comment on 'Security proof for cryptographic protocols based only on the 

monogamy of Bell's inequality violations' " 



M. Pawlowski 

Department of Mathematics, University of Bristol, Bristol BS8 1TW, U.K. 

In this reply I address the comment by W-Y. Hwang and O. Gittsovich on my paper [Phys. Rev. 
A 82, 032313 (2010)]. The authors of the comment point out that I use implicit assumption that 
the alphabet of the eavesdropper is binary. They claim that such assumption is unrealistic. Here I 
show that even without this assumption the main result of my paper still holds. 
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The authors of the comment [5] make an observation 
that 



and 



Pb> Pe^ I {A : B) > I (A : £) 



(1) 



holds only if the alphabet of £ is binary. This is true 
as the example provided in the comment clearly shows. 
Since the proof presented in my paper pQ uses this im- 
plication in one step it holds only for the attacks of the 
adversary with the limited outcome alphabet, which is 
not very realistic. However, this problem can be easily 
overcome by the slight modification of the proof which I 
present below. 

We may write the condition 



I (A : B) > I (A : 8) 



(2) 



as 



H(A) - h{P B ) > H(A) - ^2 Pi h{P{A = Q|i)) (3) 

i 

where h(.) is binary Shannon entropy function and pi is 
the probability that Eve's outcome is i. We may get rid 
of the identical terms on the both sides of the inequality 
and write it as 



h(p B ) < J2pMp(a = o\i)). 



(4) 



Let P E \i denote the probability of Eve correctly guess- 
ing the Alice's outcome when her outcome is i. Be- 
cause h(P(A = 0\i)) = h(P(A = l\i)) and P E[i is 
just ma,x{P(A = 0\i),P(A — we may substitute 

h(P(A = 0\i)) = h(P E \i)- Pe is, obviously, equal to the 
weighted sum of these probabilities 



Pe = y^pjPm- 



(5) 



Now, we can use the concavity of the binary entropy to 
claim that for the given value of P E the smallest value 
of *^2iPih{P E \i) is obtained when the probabilities P E \i 
take only the values \ or 1. If p denote the sum of all pi 
such that P E \i 



then 



P E = 1-- 2 P 



(6) 



Pih(P E \i) > P = 2(1 - P E ) 



(7) 



Now, plugging it into Q 
condition to guarantee (|2| 



one sees that the sufficient 



h(P B ) < 2(1 - P E ). 



(8) 



This is how Eq.(ll) from my original paper should look 
like if the arbitrary alphabet for the adversary is allowed. 
Following the same line of reasoning as in the paper one 
can obtain the updated version of the general condition 
expressed in Eq.(27) which now becomes 



h{0r(A,B)) < 3 



4/#( 



<A,B)). 



(9) 



This new condition implies new critical values of 
P(A,B) required for the security of the protocol. They 
can be found, just as in pQ, by substituting the 
monogamy condition for a given theory T' for f^fi (•) in 
((9J. For QM monogamy the critical value is 0.841 which 
is below the Tsirelson bound (0.854). For NS monogamy 
the critical value is 0.881 which again is within the reach 
of no-signalling theories as they allow for the values up 
to 1 [3]. 

Just as in |T] the condition Q can be repre- 
sented graphically and the critical values for different 
monogamies found as the coordinates of the points where 
the line corresponding to this condition intersects the one 
corresponding to the given monogamy. The updated ver- 
sion of the fig 1. from pQ is presented below. 
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FIG. 1: Monogamy relations for different theories are plotted. 
The sufficient condition for the security of the key distribution 
protocol Q is described by the line that passes through P. 
The intersection of this line with monogamy relation for any 
specific theory T gives the critical value of Pt{A, B) above 
which Alice and Bob can have secure communication. More 
explicitly, if A and B estimate their P(A, B) to be greater 
than Pt(A,B), they can have secure communication against 
individual attacks of the eavesdropper who has access to the 
resources of theory T. Point P has its horizontal coordinate 
equal to the Tsirelson bound, so for any theory T that inter- 
sects the sufficient condition line before P, it is possible for 
A and B to have a quantum protocol secure against attacks 
from T regime. With the unlimited alphabet of the eaves- 
dropper QM monogamy still intersects the line corresponding 
to the condition [9] before P, which means that the quantum 
resources can guarantee the security against the eavesdrop- 
per limited by the monogamy resulting from the quantum 
theory. However, in contrast with the situation where the 
alphabet of the eavesdropper is binary, the same resources 
are not enough against the eavesdropper limited only by the 
no-signalling condition. 



